Apple Pay is one of the most sensitive services offered by Apple because it stores users’ credit card and payment information. But while it’s quite convenient to just flash your watch at a point-of-sale terminal to pay for something (when it actually works), it may not be very secure. It seems as if thieves can easily use your Apple Pay account if they swipe your Apple Watch off your wrist.
Thieves will like the Apple Watch
We reported on Thursday that the lack of a Find-My-iPhone-like feature on the Apple Watch makes it a prime target for thieves. The device can simply be reset to factory settings to disconnect it from the original owner’s iPhone, meaning that, unlike a stolen iPhone, a stolen Apple Watch can easily be resold because the reset doesn’t require verification of the previous owner’s Apple ID and password.
And as if the value of the Apple Watch itself isn’t enough to lure thieves into targeting the device, being able to use the owner’s Apple Pay account to buy things offers yet another reason the device could become popular among thieves.
It’s all about sleight of hand
In a post on WonderHowTo, Nelson Aguilar explained how thieves could use your Apple Pay account without your passcode. They demonstrate how it works in a video which we’ve embedded below. The Apple Watch is supposed to be secure by detecting when it is being taken off the owner’s wrist. It then requires that a passcode be entered after it’s removed.
However, the problem is that the device apparently can’t tell the difference between a wrist and a finger. If someone takes your Apple Watch off your wrist while keeping a finger on the sensors on the back of the watch, they can get into your Apple Pay information because the watch doesn’t know it has left your wrist. While it believes it is still on the wrist, it doesn’t require the passcode. In addition, there’s a one-second delay that gives thieves a huge opportunity.
One second with the Apple Watch
One second may not seem like enough time to make a difference, but according to Aguilar, there is a one-second delay between when the Apple Watch senses that it’s being taken off the owner’s wrist and when it locks itself, thus activating passcode protection. The point of this delay is to keep the watch from constantly locking itself while the wearer is shaking their wrist, running or doing anything else that would break the watch’s contact with their skin for a split second.
The folks at WonderHowTo were able to exploit the one-second delay by just touching the sensor on the back of the watch while removing it from the wearer’s wrist. This kept the passcode protection from being activated. Without the requirement for a passcode, the thief is able to access everything on the Apple Watch—including Apple Pay.
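To make the mechanism concrete, here is a toy model of a debounced wrist-detection lock, written as an added example for this article. It is not Apple’s code and makes no claim about how watchOS is actually implemented; it only models the behaviour described above under one assumption: the watch locks when the back sensor reports no skin contact for a continuous grace period of one second, and any skin contact (wrist or finger) resets that timer. The sensor traces are constructed, sampled ten times per second.

```python
"""Toy model of a debounced wrist-detection lock (added example, not Apple's
implementation).  Assumption: the watch locks only after the back sensor has
seen no skin contact for GRACE_SECONDS in a row; any contact resets the timer."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

GRACE_SECONDS = 1.0  # assumed value of the "one-second delay" from the article


@dataclass
class WristLock:
    grace: float = GRACE_SECONDS
    locked: bool = False
    contact_lost_at: Optional[float] = None  # time the sensor last lost skin contact

    def sample(self, t: float, contact: bool) -> bool:
        """Feed one sensor sample: t in seconds, contact = sensor sees skin.
        Returns the lock state after the sample.  Once locked, stays locked."""
        if self.locked:
            return True
        if contact:
            # The sensor cannot tell a wrist from a finger: any skin resets the timer.
            self.contact_lost_at = None
        else:
            if self.contact_lost_at is None:
                self.contact_lost_at = t
            elif t - self.contact_lost_at >= self.grace:
                self.locked = True
        return self.locked


def run(samples: List[Tuple[float, bool]]) -> bool:
    """Replay (time, contact) samples through a fresh lock; return final state."""
    lock = WristLock()
    state = False
    for t, contact in samples:
        state = lock.sample(t, contact)
    return state


def honest_removal() -> bool:
    # constructed trace: worn for 1 s, then taken off and left off for 2 s
    samples = [(i / 10, i <= 10) for i in range(31)]
    return run(samples)  # locks about 1 s after contact is lost


def wrist_jitter() -> bool:
    # constructed trace: contact drops for 0.3 s (running, shaking), then returns
    samples = [(i / 10, not (5 <= i < 8)) for i in range(31)]
    return run(samples)  # gap shorter than the grace period: no lock


def finger_swap() -> bool:
    # constructed trace: a finger covers the sensor for the whole removal
    samples = [(i / 10, True) for i in range(31)]
    return run(samples)  # the sensor never saw a gap, so no lock


def finger_slips() -> bool:
    # constructed trace: the thief's finger loses contact for 1.2 s mid-removal
    samples = [(i / 10, not (15 <= i < 27)) for i in range(31)]
    return run(samples)  # gap exceeds the grace period: the watch locks


if __name__ == "__main__":
    for scenario in (honest_removal, wrist_jitter, finger_swap, finger_slips):
        print(f"{scenario.__name__:16s} locked={scenario()}")
```

The model makes the trade-off visible: the same grace period that stops the watch from locking on every wrist shake is what gives an attacker a window, and because contact is a boolean to the sensor, keeping a finger on it is indistinguishable from the watch never leaving the wrist.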
According to Aguilar, the Milanese Loop and Leather Loop bands, which are magnetic, make this trick especially easy because it doesn’t take much to pull them off the wearer’s wrist. After swiping the Apple Watch off the owner’s wrist very carefully without triggering the passcode lock, the thief can then use it to buy items with the owner’s Apple Pay account. The information itself is encrypted inside of Apple Pay and much of it can’t be accessed without the iPhone that it’s paired with, so at least the device is secure in this way.
As a result, it’s unlikely the thief could pull payment information off the watch, but being able to swipe the watch is basically like stealing someone’s wallet: it gives the thief the ability to pay with whatever cards are stored on it, even though they can’t get the actual card numbers to use them elsewhere.